Hi, we have a quite strict security policy, and libraries with a high CVSS rating are automatically removed from our corporate mirrors.
We would like to create some custom rules for SonarQube, though. Is there a plan to upgrade the sonar-plugin-api dependencies affected by vulnerabilities (some rated 10)?
Sorry, I misread your link initially; my eyes swapped the ‘5’ and the ‘6’. You’re right. That was the most recent at the time you posted it.
We did just release 8.9.7 today, but it doesn’t address those CVEs.
These are about the H2 DB, which is embedded only for evaluation purposes. We’re very clear that it should not be used in production. I think we’ll probably upgrade the embedded H2 at some point, but there’s no rush.
This is about upgrading to Log4J 2.17.1. Again - and to be very clear about this - our security researchers didn’t find any way of exploiting the CVEs in previous point releases of the LTS. We have no current plans to upgrade the LTS for this.
For the rest, I don’t have an immediate answer, but I’m not aware of immediate plans to address them.